What you need to know about GDPR relating to Gravity Forms and GravityView

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation designed to protect the Personally Identifiable Information (PII) of all European Union citizens. In short, it is designed to protect users from unauthorized data collection by the websites they use. To do this, the GDPR requires that users give explicit consent to having their data collected.

The GDPR affects all companies that have users from the European Union, not only companies based in the E.U. If you have an online business or website, chances are that you will be affected by GDPR. Companies must be compliant by May 25, 2018.

What is Personally Identifiable Information (PII)?

Personally Identifiable Information is any information that can be used to identify a specific individual. This includes (but is not limited to):

Name
Address
ID Numbers
Web data such as:
  Location
  IP Address
  Cookie data
  RFID data
Biometric data
Racial, ethnic, or other demographic information
Political views and opinions
Sexual orientation and gender identity

Gravity Forms and Personally Identifiable Information

Any Gravity Forms field can potentially be used to gather the information listed above. Some information that can be considered sensitive and personally identifiable (i.e. it can tie the entry to a specific person) is gathered implicitly, without a field being added to the form:

gf_entry.ip – A person’s IP address

gf_entry.user_agent – The type of browser being used

gf_entry.transaction_id – If making a purchase with the form, this is the payment ID connected to the payment processor

gf_entry.created_by – The WordPress user ID of the person submitting the form

As such, if you are using Gravity Forms, you should be sure to make your website compliant!
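As an added example (not GravityView's or Gravity Forms' own code), the snippet below reduces what two of the implicitly gathered properties above end up holding: it anonymises gf_entry.ip before it is saved, using the gform_ip_address filter, and blanks gf_entry.user_agent after the entry is stored. The function names prefixed gdpr_example_ are assumptions; drop the snippet into a site-specific plugin.

```php
<?php
// Added example, not GravityView's or Gravity Forms' own code.
// Function names prefixed gdpr_example_ are assumptions.

// gf_entry.ip: Gravity Forms passes the visitor IP through the gform_ip_address
// filter before saving the entry, so whatever is returned here is what gets stored.
function gdpr_example_anonymize_ip( $ip ) {
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return ''; // unparseable or empty value: store nothing rather than junk
    }
    $packed = inet_pton( $ip );
    if ( 4 === strlen( $packed ) ) {
        $mask = inet_pton( '255.255.255.0' );    // IPv4: zero the last octet
    } else {
        $mask = inet_pton( 'ffff:ffff:ffff::' ); // IPv6: keep only the /48 prefix
    }
    // Bytewise AND of two equal-length binary strings, then back to text form,
    // e.g. 203.0.113.42 becomes 203.0.113.0.
    return inet_ntop( $packed & $mask );
}
add_filter( 'gform_ip_address', 'gdpr_example_anonymize_ip' );

// gf_entry.user_agent is recorded on submission; clear it once the entry exists.
// gform_after_submission receives the saved entry (with its id) and the form.
function gdpr_example_clear_user_agent( $entry, $form ) {
    GFAPI::update_entry_property( $entry['id'], 'user_agent', '' );
}
add_action( 'gform_after_submission', 'gdpr_example_clear_user_agent', 10, 2 );
```

Anonymising rather than dropping the IP keeps enough of the address for coarse spam and abuse reporting while no longer tying an entry to a single device.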

GDPR and WordPress

The WordPress community is hard at work on tools that help WordPress users become GDPR-compliant.

The easiest way to comply is to add a required checkbox to any forms that need to be compliant. A simple checkbox field that states something along the lines of “I consent to my submitted data being collected and stored” is usually sufficient.
Make it a required field, and the first part is done. This way, you know that every submission is compliant, because without consent the submission cannot complete.

As noted in the article, it is very important to make this checkbox a required field. If the field is not required, any entries submitted without consent to data collection can be considered GDPR violations.

User Data Requests and GravityView

Another part of GDPR compliance requires that users be able to request and receive all of their personal information.

While the regulation merely requires that businesses provide the data “within a month”, we recommend simply setting up a View in GravityView that allows logged-in users to view, edit and delete their own data themselves.